Restricting access by arbitrary certificate extension
on 06.05.2009 06:49:46 by Zhumabekov Yerden
mod_ssl can perform client authentication on certificates in Apache and client authorization on certain certificate extensions. We are setting up a CA here and we want to restrict access to a certain website by checking the presence of a certain certificate extension using its OID. The syntax which mod_ssl forces us to use is the following:

SSLRequire "some string" in OID("1.2.3.4...")

As you can see, we need to match this string exactly in the extension's value. We can encounter a problem with this, because this extension may not be listed in OpenSSL's list of valid extensions (crypto/objects/objects.h). As I learned from the mod_ssl and OpenSSL code, mod_ssl would not be able to match the string because the object of this OID does not have a valid NID in OpenSSL. OpenSSL seems incapable of determining the type of the arbitrary extension we want to use as a restricting factor. Hence, mod_ssl cannot even extract its value from the certificate.

Well, I poked around the problem for some time and found no other way than to patch mod_ssl by adding one new function in ssl_expr_eval.c which does almost the same thing as ssl_extlist_by_oid() and ssl_expr_eval_oid() but does not intend to extract the value of the certificate extension. I also added a small change to ssl_expr_eval_comp(), so if you supply a zero-length word in SSLRequire, it uses my new function instead of ssl_expr_eval_oid(). So, the new syntax is like this:

SSLRequire "" in OID("1.2.3.4...")

If you are aware of a more attractive and "right" way to do it, please let me know. My patch for apache-2.2.11 is attached.
-- 
Zhumabekov Yerden
[Attachment: apache_oid_presence.patch.gz]
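To make the point in the post concrete, here is an added example (the editor's, not the poster's patch and not mod_ssl or OpenSSL code) showing why a registered NID is not needed for a presence check: in the certificate's DER, every extension is a SEQUENCE of an OBJECT IDENTIFIER, an optional critical BOOLEAN and an OCTET STRING, so a walker that decodes the OID to dotted form can locate any extension, known to OpenSSL or not, and a value comparison only has to look inside the OCTET STRING. The Extensions blob is constructed inline, the private OID 1.3.6.1.4.1.99999.1 is hypothetical, and the `ssl_require()` helper is an assumed model of the two SSLRequire forms from the post (`"text" in OID(x)` matches a string value exactly, `"" in OID(x)` tests presence only).

```python
"""
Look up an X.509 extension by dotted OID in raw DER, with no NID/OID table.
Editor's added example, not the poster's patch and not mod_ssl/OpenSSL code.
Models the post's two SSLRequire forms: `"text" in OID(x)` matches the value
exactly, `"" in OID(x)` only tests presence. Sample data is constructed here;
1.3.6.1.4.1.99999.1 is a hypothetical private-enterprise OID.
"""

def _base128(n: int) -> bytes:
    """Encode one OID sub-identifier in base-128 with continuation bits."""
    out = bytearray([n & 0x7F])
    n >>= 7
    while n:
        out.insert(0, 0x80 | (n & 0x7F))
        n >>= 7
    return bytes(out)

def encode_oid(dotted: str) -> bytes:
    """DER content octets of an OBJECT IDENTIFIER (first two arcs are merged)."""
    arcs = [int(a) for a in dotted.split(".")]
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    return b"".join(_base128(s) for s in subids)

def decode_oid(content: bytes) -> str:
    """Inverse of encode_oid; works for any OID, registered or not."""
    subids, val = [], 0
    for b in content:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(val)
            val = 0
    first = subids[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in arcs + subids[1:])

def tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a single-byte DER tag and a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this element) for buf[pos:]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def make_extension(oid: str, value: bytes, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    body = tlv(0x06, encode_oid(oid))
    if critical:
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body + tlv(0x04, value))

# Constructed sample: keyUsage (critical), basicConstraints, and a private extension
# whose extnValue wraps a UTF8String, the shape mod_ssl's OID() compares as text.
SAMPLE_EXTENSIONS = tlv(0x30,
    make_extension("2.5.29.15", tlv(0x03, b"\x07\x80"), critical=True)
    + make_extension("2.5.29.19", tlv(0x30, b""))
    + make_extension("1.3.6.1.4.1.99999.1", tlv(0x0C, b"member-of:finance")))

def find_extension(extensions_der: bytes, oid: str):
    """Return (critical, extnValue) for the first extension with this OID, else None."""
    tag, seq, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, ext, pos = read_tlv(seq, pos)
        t, oid_bytes, inner = read_tlv(ext, 0)
        if tag != 0x30 or t != 0x06:
            raise ValueError("malformed Extension")
        critical = False
        t, content, inner = read_tlv(ext, inner)
        if t == 0x01:                      # optional critical BOOLEAN
            critical = content != b"\x00"
            t, content, inner = read_tlv(ext, inner)
        if t != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        if decode_oid(oid_bytes) == oid:   # compare dotted form, no NID lookup
            return critical, content
    return None

# ASN.1 string types that yield a text value; anything else has no string value.
_STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}  # UTF8String, PrintableString, IA5String

def extension_strings(extensions_der: bytes, oid: str):
    """String values of the extension (empty list if absent or not string-typed)."""
    found = find_extension(extensions_der, oid)
    if found is None or len(found[1]) < 2:
        return []
    tag, content, _ = read_tlv(found[1], 0)
    codec = _STRING_TAGS.get(tag)
    return [content.decode(codec)] if codec else []

def ssl_require(extensions_der: bytes, word: str, oid: str) -> bool:
    """Evaluate `word in OID(oid)` with the post's extension: "" tests presence only."""
    if word == "":
        return find_extension(extensions_der, oid) is not None
    return word in extension_strings(extensions_der, oid)

if __name__ == "__main__":
    for word, oid in [("", "1.3.6.1.4.1.99999.1"), ("member-of:finance", "1.3.6.1.4.1.99999.1"),
                      ("member-of:hr", "1.3.6.1.4.1.99999.1"), ("", "2.5.29.37")]:
        print(f'SSLRequire "{word}" in OID("{oid}") -> {ssl_require(SAMPLE_EXTENSIONS, word, oid)}')
```

In a real deployment the input is the extensions element of the client certificate's tbsCertificate (the `[3] EXPLICIT Extensions` field), not a hand-built blob. Note that the presence form accepts an extension whatever its value, so a CA that issues the same OID with different payloads must still be combined with a value match. On Apache 2.4 the ap_expr function PeerExtList() exposes extension values by OID in the same way.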
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org